You have probably heard by now that Anthem announced the largest health care cyber attack to date. A database containing names, social security numbers, addresses, dates of birth, and employment and income information for 80 million individuals was hacked.
Today the Wall Street Journal reported that the compromised data was not encrypted.
Do we need to encrypt?
Maybe. The Anthem attack has a lot of covered entities asking whether they need to encrypt their data. Here is what the Office for Civil Rights (OCR) has to say.
While encryption is not mandated, HIPAA does require covered entities to assess whether encryption is a reasonable and appropriate safeguard for their organization. Has your company made this determination? Are you confident that you could defend your position in the media, if faced with a breach?
For more information on encryption, check out the OCR website.